
SMTP analysis...

Hi all, does anyone know of good software to inspect the SMTP logs (W3C format) of an Exchange SMTP server? I opened it one week ago on a server that still doesn't have an MX record, and the logs are huge! I would like to know what's going on...
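One way to get a quick picture of what a large W3C-format SMTP log contains is to summarize it per client address. The script below is an added example, not something posted in this thread: it parses the `#Fields:` directive of a W3C extended log so the field order does not matter, then counts per client IP the RCPT commands that were accepted or rejected, the relay attempts (RCPT to a non-local domain from an unauthenticated session) and the failed AUTH commands. The sample log, the field layout (cs-method holding the SMTP verb, cs-uri-query its argument, sc-status the SMTP reply code, cs-username the authenticated user or `-`) and the `corp.example` domain are all constructed for this example.

```python
"""Summarize an IIS/Exchange SMTP protocol log written in W3C extended format.

Constructed sample log and assumed field layout (see the lead-in); the parser
itself is driven by the '#Fields:' directive, so any column order works.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: one unauthenticated client probing relay, one client
# hammering AUTH, and one authenticated corporate user sending normally.
SAMPLE_LOG = """\
#Software: constructed sample for this example
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-05-10 03:12:01 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 EHLO - +bulk.example 250
2004-05-10 03:12:01 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<a@bulk.example> 250
2004-05-10 03:12:02 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<u1@elsewhere.example> 550
2004-05-10 03:12:02 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<u2@elsewhere.example> 550
2004-05-10 03:12:03 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<u3@elsewhere.example> 550
2004-05-10 03:12:03 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<u4@elsewhere.example> 550
2004-05-10 03:12:04 198.51.100.5 - SMTPSVC1 MAIL01 192.0.2.10 25 QUIT - bulk.example 221
2004-05-10 03:15:10 203.0.113.9 - SMTPSVC1 MAIL01 192.0.2.10 25 AUTH - LOGIN 334
2004-05-10 03:15:11 203.0.113.9 - SMTPSVC1 MAIL01 192.0.2.10 25 AUTH - LOGIN 535
2004-05-10 03:15:12 203.0.113.9 - SMTPSVC1 MAIL01 192.0.2.10 25 AUTH - LOGIN 535
2004-05-10 03:15:13 203.0.113.9 - SMTPSVC1 MAIL01 192.0.2.10 25 AUTH - LOGIN 535
2004-05-10 08:01:00 192.0.2.50 jdoe SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<jdoe@corp.example> 250
2004-05-10 08:01:00 192.0.2.50 jdoe SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<boss@corp.example> 250
2004-05-10 08:01:01 192.0.2.50 jdoe SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<partner@elsewhere.example> 250
"""

ADDR_RE = re.compile(r"<[^>]*@([^>]+)>")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the last #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no events
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated rows instead of misaligning columns
        yield dict(zip(fields, values))


def recipient_domain(arg):
    """Domain part of an SMTP address argument such as '+TO:<user@host>'."""
    m = ADDR_RE.search(arg)
    return m.group(1).lower() if m else None


def summarize(text, local_domains):
    """Per-client counters: commands, RCPT outcome, relay attempts, AUTH failures."""
    local = {d.lower() for d in local_domains}
    stats = defaultdict(lambda: {"commands": 0, "rcpt_accepted": 0, "rcpt_rejected": 0,
                                 "relay_attempts": 0, "auth_failures": 0})
    for row in parse_w3c(text):
        s = stats[row["c-ip"]]
        verb = row["cs-method"].upper()
        code = row["sc-status"]
        authenticated = row["cs-username"] != "-"
        s["commands"] += 1
        if verb == "RCPT":
            dom = recipient_domain(row["cs-uri-query"])
            # Relay attempt: unauthenticated session asking us to deliver elsewhere.
            if dom and dom not in local and not authenticated:
                s["relay_attempts"] += 1
            if code.startswith("2"):
                s["rcpt_accepted"] += 1
            elif code.startswith("5"):
                s["rcpt_rejected"] += 1
        elif verb == "AUTH" and code.startswith("5"):
            s["auth_failures"] += 1
    return dict(stats)


def suspicious(stats, threshold=3):
    """Client IPs with at least `threshold` relay attempts or AUTH failures."""
    return sorted(ip for ip, s in stats.items()
                  if s["relay_attempts"] >= threshold or s["auth_failures"] >= threshold)


if __name__ == "__main__":
    # Usage: python smtp_w3c_summary.py [logfile]; without a path the sample runs.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(text, ["corp.example"])
    for ip, s in sorted(result.items()):
        print(ip, s)
    print("suspicious:", suspicious(result))
```

On the constructed sample the unauthenticated host 198.51.100.5 shows four rejected relay attempts and 203.0.113.9 three AUTH failures, while the authenticated user on 192.0.2.50 is left alone even though one of its recipients is external; a relay that is accepted (`250`) for an unauthenticated client would be the finding to worry about in a real log.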

Sanitize a portion of it and post it here 'cos I think you have been hijacked if you don't have an MX record yet.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

I have some bad news...... You are compromised in some way because your server denied me relay.

You say that a session must be authenticated before it will allow relay. Change the authentication key and see if the activity stops. If it does then you need to keep changing it regularly and make it extremely complex. If it doesn't stop it then you are going to have to begin an investigation as to how they got on the box. Start with Virus and Trojan scanning and do complete scans of the entire machine. Use The Cleaner to scan for trojans and make sure that all definitions are updated before you do.

Since you say there is no MX record set up yet I assume this is not a production server. That being the case I would block outbound SMTP from it at the firewall.... You do have a firewall, don't you?

Ok, I'll explain the situation. We used to receive email through an ISP that owns the MX. Now we are preparing to take over the MX. This server has IMAP over SSL and SMTP over SSL with authentication open to allow corporate users to send and receive mail from the Internet. A few days ago I opened SMTP with anonymous authentication (but relaying only WITH authentication) to begin testing redirecting the MX to it. I left this open and today, when I looked, I found these huge logs... Now I have configured the server to allow only encrypted authentication (no anonymous sessions) and it stopped... so, if it is compromised, it would be the same even if only authenticated sessions are allowed to send mail, wouldn't it?

Then you are fixed..... I didn't try authing to the server, just a simple relay check. Leaving the anon auth open wasn't a good idea. Once you had checked functionality with anon I would have gone back to SSL encrypted auth and tested further from there, because at that point I already know anon works, thus the server is working. Any problems from that point on would be at the SSL level.

Just a thought. Why don't you use OWA over SSL? Then you can limit relaying to the local subnet only; it will give your users some more functionality, and you already seem to have the hard part (SSL) set up anyway.

I changed SMTP to anonymous because we are going to move the MX to this server....

I don't think that the bad thing was enabling anonymous access (that was enabled without relay); I think the bad idea was enabling basic auth without SSL... Next week I will test anon and auth with SSL only.